While the legislation received royal assent in November last year, it actually takes rather longer for such a significant piece of legislation to be fully in place.

Earlier this month Lord Justice Fulford was appointed the first Investigatory Powers Commissioner, who will oversee the use of Investigatory Powers by public authorities. The Home Office said he will take on the statutory functions of the IPC "in due course".

The draft Codes of Practice aim to set out the detail of how the powers in the legislation can be used (if you want to comment, you've got until 6 April to respond) and are designed as a guide to the agencies that are allowed to use the powers.

One of the more controversial elements covered in the consultation is 'equipment interference', or the ability of spy agencies, police, and others to hack into devices or tech infrastructure to find information or conduct surveillance.

The consultation notes this equipment could include traditional computers or "computer-like devices such as tablets, smart phones, cables, wires and static storage devices", which could be hacked either from afar or by direct physically contact. Attacks could range from simply using someone's password to gain entry, to complicated attacks using zero-day exploits.

"Equipment interference operations vary in complexity. At the lower end of the complexity scale, an equipment interference agency may covertly download data from a subject's mobile device when it is left unattended, or an agency may use someone's login credentials to gain access to data held on a computer.

"More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device."

The draft code includes some suitably James Bond-style examples to illustrate why the capabilities are needed.

"A military base is situated in a specific location known to be the centre for intercontinental ballistic missile research being undertaken by a country with hostile intentions against the UK. In order to track how the research is evolving and what types of systems are being developed, equipment interference is used to gather intelligence from that specific location," it explains at one point.

Much of the burden that the new act creates will fall on ISPs and tech companies.

"As a comprehensive and complex piece of legislation that puts on a legislative footing existing and new capabilities, we understand that the implementation of the Investigatory Powers Act will be in stages. While the Bill received some scrutiny as it passed through the parliamentary process, a large amount of detail will be left to codes of practice and secondary legislation," said Andrew Kernahan from the Internet Services Providers' Association ISPA UK.

"It is important that in implementing the legislation, the Home Office does so in as open and transparent manner as possible, one that includes robust checks and balances and safeguards. The legislation itself limits what a CSP can and can't reveal in a number of areas, but our members treat the balance between privacy of their customers and lawful requirements very seriously," he said.

One thing missing is a draft code of conduct on one of the most controversial aspects of the legislation: the retention of communications data which is now going to be published for consultation "in due course", according to the government. That likely means the retention of internet communications records, one of the key parts of the the law, has been delayed.

That's because late last year the European Court of Justice ruled that "general and indiscriminate retention" of internet browsing and email was unlawful, which means that the part of the legislation around the bulk collection of internet browsing records could be open to a legal challenge.

Civil liberties campaign group Liberty is challenging the "bulk" surveillance powers contained in the law, and has already applied to the High Court for permission to proceed in its legal challenge to lead to a judicial review of the law.

Privacy International is another campaign group, which has ongoing challenges in the UK and Europe to bulk communications data, bulk personal datasets, interception, and hacking.

Millie Graham Wood, legal officer at Privacy International, said there are plenty of potential ramifications from the Investigatory Powers Act: "Concerns about secret law developing behind closed doors, companies being gagged from revealing what they are being compelled to do, how Brexit will impact on the direction the UK takes in relation to mass surveillance and whether we lose out on protections that Europeans benefit from."

She said that while the UK has said it will comply with EU regulations, such as the General Data Protection Regulations, because to not do so would have a negative impact on the UK tech industry, how they intend to do that is unclear, as is whether it will restrain mass surveillance.

The equipment interference powers are another cause for concern. "Hacking, as undertaken by any actor, including the state, fundamentally impacts on the security of computers and the internet.

"It incentivises the state to maintain security vulnerabilities that allow any attacker -- whether GCHQ, another country's intelligence agency or a cyber criminal -- potential access to our devices. When deployed against networks or in 'bulk', hacking can undermine the security of all our communications, including those that form the core of financial transactions. These security concerns affect all communication service providers and the consumers who use their services," she warned.

The data collection elements are also a worry: "The sheer volume of retained data will be huge and be incredibly revealing. It will also be a honeypot for cybercriminals. Should we be worrying about when the next hack or data leak will be?"

She added: "Individuals will consequently face a reduction in their privacy and security, which could undermine trust in the entire communications system. The internet offers a democratic space in which personal exploration, growth, change and development is possible, and without trust in the systems that enable such exploration, such positive growth is curtailed."

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.